[ Thanks to Dave for this link. ]
“Bind listens on port 53 UDP and TCP. TCP is normally only used during zone transfers so it would appear that you could filter it if you have no slaves. However, if the response to a query is greater than 1024 bytes, the server sends a partial response, and client and server will try to redo the transaction with TCP.”

“Responses that big do not happen often, but they happen. And people do quite often block 53/tcp without their world coming to an end. But this is where one usually inserts the story about the Great DNS Meltdown when more root servers were added. This made queries for the root list greater than 1024 and the whole DNS system started to break down from people violating the DNS spec (RFC1035) and blocking TCP…”
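The UDP-to-TCP fallback the quote describes is signalled by the TC (truncation) bit in the DNS header, which is what a resolver checks before redoing the query over 53/tcp. The following is an added example, not code from the quoted post: it decodes the RFC 1035 header, reports whether a response requires a TCP retry, and applies the two-byte length prefix that DNS over TCP uses; the query and both responses are constructed sample bytes, not captured traffic.

```python
"""Decode a DNS header and decide whether the resolver must retry over TCP.

RFC 1035 header layout (12 bytes): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
"""
import struct

QR_BIT = 0x8000  # flags bit 15: 1 = response
TC_BIT = 0x0200  # flags bit 9: TrunCation, response did not fit in the UDP payload


def parse_header(msg: bytes) -> dict:
    """Return the fixed header fields of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(msg: bytes) -> bool:
    """True when a UDP response carries TC=1: the client must redo the query over TCP,
    so a firewall that drops 53/tcp breaks exactly these lookups."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]


def frame_for_tcp(udp_message: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(udp_message)) + udp_message


# Constructed samples: a query for the root zone ("." IN NS, QTYPE 2, QCLASS 1)
# and two hand-built responses to it, one complete (ANCOUNT=13) and one truncated.
QUERY = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 2, 1)
FULL_RESPONSE = struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 13, 0, 0) + QUERY[12:]        # QR RD RA
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0xBEEF, 0x8380, 1, 0, 0, 0) + QUERY[12:]    # QR TC RD RA

if __name__ == "__main__":
    for name, resp in (("full", FULL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        print(f"{name}: retry over TCP = {needs_tcp_retry(resp)}")
    print("TCP length prefix of the query:", frame_for_tcp(QUERY)[:2].hex())
```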